Thursday, September 03, 2009

Lori Drew decision published - Breach of terms of use as a criminal offence

When Lori Drew was prosecuted for bullying via MySpace which led to the suicide of Megan Meier many people were worried about the prosecution theory of the case. The basis of the charge was not the bullying itself but rather that by failing to comply with MySpace's terms of use Lori Drew had committed an offence of unauthorised access to a computer. If accepted, this theory would have criminalised failure to abide by terms of use - terms which most users never read and which are often vague and imprecise in their scope - and effectively permitted site owners to provide that a breach of their rules would now be a crime. As Andy Grossman put it, the effect would be that "every site on the Internet gets to define the criminal law. That’s a radical change. What used to be small-stakes contracts become high-stakes criminal prohibitions."

Consequently there was some relief two months ago when the trial judge indicated that he would quash the jury's guilty verdict, but his short oral statement of reasons on that day didn't go into detail as to why the prosecution case was flawed. The full written judgment has now been published, and shows that the trial judge applied the void for vagueness doctrine to find that a prosecution based on simple breach of terms of use would not give fair warning to users as to what actions might be criminal and would criminalise vast numbers of users without providing even minimal guidelines to govern prosecutions.

Would a similar result be reached in Ireland? The position is complicated slightly by the peculiar wording of the relevant offence - which speaks of "access without lawful excuse" rather than "unauthorised access" - but the same underlying principles would apply. The domestic caselaw - in particular King v Attorney General [1981] IR 223 - has established the proposition that the ingredients of an offence must be set out with precision and clarity and this has since been reinforced by ECHR jurisprudence requiring accessibility and foreseeability in criminal offences (e.g. CR v. United Kingdom). In light of those principles, it seems likely that the Irish courts would follow the reasoning in the Lori Drew case.

Some key portions of that ruling are worth quoting:

If a website’s terms of service controls what is “authorized” and what is “exceeding authorization” - which in turn governs whether an individual’s accessing information or services on the website is criminal or not, section 1030(a)(2)(C) would be unacceptably vague because it is unclear whether any or all violations of terms of service will render the access unauthorized, or whether only certain ones will.

For example, in the present case, MySpace’s terms of service prohibits a member from engaging in a multitude of activities on the website, including such conduct as “criminal or tortious activity,” “gambling,” “advertising to . . . any Member to buy or sell any products,” “transmit[ting] any chain letters,” “covering or obscuring the banner advertisements on your personal profile page,” “disclosing your password to any third party,” etc... The MSTOS does not specify which precise terms of service, when breached, will result in a termination of MySpace’s authorization for the visitor/member to access the website.

By utilizing violations of the terms of service as the basis for the... crime, that approach makes the website owner - in essence - the party who ultimately defines the criminal conduct. This will lead to further vagueness problems. The owner’s description of a term of service might itself be so vague as to make the visitor or member reasonably unsure of what the term of service covers. For example, the MSTOS prohibits members from posting in “band and filmmaker profiles . . . sexually suggestive imagery or any other unfair . . . [c]ontent intended to draw traffic to the profile.”

Moreover, website owners can establish terms where either the scope or the application of the provision are to be decided by them ad hoc and/or pursuant to undelineated standards. For example, the MSTOS provides that what constitutes “prohibited content” on the website is determined “in the sole discretion of MySpace.com . . . .” Additionally, terms of service may allow the website owner to unilaterally amend and/or add to the terms with minimal notice to users.

Because terms of service are essentially a contractual means for setting the scope of authorized access, a level of indefiniteness arises from the necessary application of contract law in general and/or other contractual requirements within the applicable terms of service to any criminal prosecution.

Treating a violation of a website’s terms of service, without more, to be sufficient to constitute “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” would result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into ... criminals... If any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].”

Eric Goldman has analysis of the decision and its implications for legal responses to cyberbullying - suggesting that the decision is likely to encourage lawmakers to introduce new offences of online harassment.